Security Budgets: How To Get Your C-Suite’s Attention

During annual budget negotiations, there is always a question about spending priorities. As a security professional, I have found that if you want to get the executive suite’s attention, you have to frame your security budget proposals in terms of real business risk. You don’t want bogeyman-style, Fear Uncertainty and Doubt (FUD)-driven presentations but you do want an honest evaluation of the true risk of a cyber event to the business.

Don’t make these presentations too technical, at least in the beginning. You have to get your executives’ attention first or else you’ll wear them down with geek-speak long before you get to explain your pet project. I always begin with what I call the Business Heat Map.

Most mid-to-large size businesses have some form of this graphic to present to the Board of Directors on a regular basis. It usually shows the Top 10-15 business risks to the company on a grid. The X-axis shows how likely the threat that causes the risk will actually happen, usually presented as a range from “Remote” to “Almost Certain.” The Y-Axis shows the impact to the business if it does happen, presented as a range from “Very Low” to “Material” impact.

Your first battle is to make sure that cybersecurity risks make that Top 15 list. In other words, you’re not even in the budget conversation unless the C-Suite acknowledges that there is actual business risk from a cyber vector along with the other risks that causes them concern: pending lawsuits, M&A Activity, loss of reputation, and so on.

Explaining Cybersecurity As A Compelling Risk

Once I’ve established cybersecurity as a compelling risk, I like to build a Cyber Risk Heat Map just for the category, and show all of the cybersecurity risks that you and your team are tracking.

Again, this discussion with your budget makers shouldn’t be technical — it is an overview, explained for an executive audience. We are not trying to show the 1,000 potential ways that an adversary can get into the network. We are trying to show the C-suite who the adversary is.

A good way to start is by putting the most likely cyber adversary motivations on the heat map:

Cyber espionage

Cyber crime

Cyber hacktivism

Cyber terrorism

Cyber warfare

Disgruntled employee

I would cheat a bit and add “insider threat” to the map because the question always comes up. That’s a cheat because an insider threat can come in the form of any of these cyber adversary motivations – it’s really more of a tactic and not quite a “motivation.” But if you add it to the list of what to explain, you’ll head off questions about your chart.

Where you place these adversary motivations on your heat map is likely to be different depending on your business sector. A financial services business, for example, might place cyber crime high and to the right on the heat map, whereas a manufacturing business might have it low and to the left.

It’s helpful to provide at least one real world, preferably recent example of each of these adversary motivations to show what the cost was to the business. A few years ago, for example, a disgruntled employee at Steven E Hutchins Architects destroyed seven years of customer data as well backup data. It cost the business $2.5 million to restore it.

The cyber adversary motivations that migrate to the top right of your Cyber Risk Heat Map are the risks you are trying to reduce. When you put Cyber Risk in the Top 15 of the overall Business Heat Map, the cyber adversary motivations that are in the top right of the Cyber Risk Heat Map are what you are referring to.

Explaining Mitigation

The next step is to show how you, as the security professional managing the infrastructure, mitigate those risks. Again, this is not a technical discussion – it’s an approach. I’d begin by discussing the Cyber Kill Chain.

Regardless of the motivation, every adversary will follow the Kill Chain approach into your network to be successful:

Adversaries have to be successful at all seven links in the Kill Chain to accomplish their overall objective. The defense only has to be successful once in the Kill Chain to stop them, however, and a good strategy is to place mitigation controls at each level of the Kill Chain and monitor for activity.

At this point, it’s useful and illustrative to show examples of adversary activity down the Kill Chain for the past year; in other words, how far the attackers got down the Kill Chain and what we did about it. I’d close by evaluating the strength of our controls at each level in the Kill Chain. If I did everything correctly and pleaded my case, the weakest link in our Kill Chain defenses should be precisely the pet project that I am pushing in this year’s budget.

Conclusion

The process I described allows security practitioners to clinically evaluate the risks to the business. For example, cyber hacktivism is a very scary thing but perhaps the impact to the business, if it were to happen, would not be material. It might be serious, but even toward the lower end of a range depending on your business sector and who your customer base is.

So take a prescriptive approach. Instead of trying to convince the C-Suite to spend money on cyber defense because, you know, it is cyber and it is scary, you can show them exactly what they are spending the money for and why it’s important.